[unisog] MS-SQL Zombie DDoS

John Valenti valenti at msu.edu
Tue Jan 28 04:58:11 GMT 2003


My desktop system was hit over the weekend. I tried your suggestion below
and got back:

UDP 0.0.0.0:1434 *.* LISTENING

Does 0.0.0.0 count as accessible to the Internet?

Oh, I'm pretty sure my problem was caused by Sitekeeper. I downloaded a demo
version of that a few months back. I ran Windows Update as recently as last
week and it didn't warn me about the MSDE bug.

-jav
John Valenti, Systems Analyst SLIR, Michigan State University

----- Original Message -----
From: "cam {Cam Beasley, ISO}" <cam at forum.utexas.edu>
To: <unisog at sans.org>
Sent: Monday, January 27, 2003 1:23 PM
Subject: RE: [unisog] MS-SQL Zombie DDoS


>
>
> %>More MSDE2000 apps that are potentially vulnerable (not certain
> %>that all are network aware)..
> %>
> %><http://sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13>
>
> Many of the MSDE applications do not open ports to the network
> interface, only to localhost. I don't think that these apps
> are vulnerable to attack -- unless super weird internal
> bridging from private ==> public occurs.
>
> If the originating address (192.168.10.13 in this case below)
> is not accessible to the Internet, then there shouldn't be a
> risk of infection..  If the IP is public, then yes..
>
> Folks can check their Windows systems to see whether
> any MSDE apps are vulnerable. From the command line, type
>
>    netstat -an | find "1434"
>
> If port 1434 is open, the response will be something along the
> lines of:
>
>    UDP    192.168.10.13:1434        0.0.0.0:0         LISTENING
>
> Otherwise you'll just get the command prompt back again.
>
> ~cam.
>
> Cam Beasley
> ITS/Information Security Office
> The University of Texas at Austin
> 512.475.9242
>
>
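
An added example, not part of either message above: a Python sketch that reads `netstat -an` output and labels each UDP 1434 bind by its local address. A socket bound to 0.0.0.0 accepts datagrams on every interface of the host, so its reachability follows whatever addresses those interfaces hold. The sample lines, function names and labels are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shapes quoted in the thread, plus extra cases.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:1434           *:*
  UDP    192.168.10.13:1434     0.0.0.0:0              LISTENING
  UDP    127.0.0.1:1434         *:*
  UDP    198.51.100.7:1434      *:*
  UDP    0.0.0.0:14340          *:*
  TCP    0.0.0.0:1434           0.0.0.0:0              LISTENING
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def exposure(addr_text):
    """Label a local bind address by which networks can reach it."""
    try:
        addr = ipaddress.ip_address(addr_text.strip("[]"))
    except ValueError:
        return "unparsed"
    if addr.is_unspecified:          # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    if addr.is_loopback:             # reachable only from the host itself
        return "loopback-only"
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "private-address"     # not routed on the Internet
    return "public-address"

def udp_1434_binds(netstat_text, port=1434):
    """Return (local_address, label) for each UDP socket on exactly `port`."""
    results = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].upper() != "UDP":
            continue
        host, _, local_port = fields[1].rpartition(":")
        # Exact match on the port; find "1434" would also match 14340.
        if local_port != str(port):
            continue
        results.append((host, exposure(host)))
    return results

if __name__ == "__main__":
    for host, label in udp_1434_binds(SAMPLE):
        print(f"{host:<16} {label}")
```
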


